The path to cyber resilience: sense, resist, react
EY 19th Global Information Security Survey 2016–17
Power and utilities sector results
Global findings
EY’s Global Information Security Survey (GISS) investigates the most important cybersecurity issues facing organizations today. It covers more than 20
industry sectors and captures the responses of 1,735 participants around the globe, including 81 from the power and utilities (P&U) sector. We base our
findings on those insights and our extensive global experience of working with P&U clients to help them improve their cybersecurity programs.
Growth in digital and connected devices, along with the convergence of information technology (IT) and operational technology (OT) systems, has
increased the significance of cyber attacks on critical infrastructure, including the power grid. Utilities are making progress in the way they sense and
resist today’s cyber attacks and threats. But the GISS results also indicate the need for improved resilience: utilities must be better prepared to respond to and
recover from cyber incidents so that safe and reliable operations can be restored and maintained.
The state of cyber resilience
The threat landscape changes and presents new challenges every day. Over decades, utilities have learned to defend themselves and respond better to potentially catastrophic events. Commodity supply shocks, storms, natural disasters, equipment failure, terrorist attacks and the growth in cybercrime have all driven utilities to improve their approach to business resilience and risk management.
Cyber resilience is a subset of business resilience. It focuses on how effective utilities are in implementing the following critical components:
Sense
Sense is the ability of utilities to leverage intelligence capabilities to identify, anticipate and detect cyber threats and attacks proactively across their entire digital ecosystem. Security awareness should extend to both internal and external stakeholders, including vendors and third parties.
Resist
Resist mechanisms are essentially the corporate shield. They look at how much risk a utility is prepared to take across its enterprise, and then establish the required controls to manage it to that level. Compliance with regulatory standards continues to play an important role as utilities mature to a risk-based model — the US is leading the way in defending critical infrastructure, while Europe is making important progress in privacy and data protection.
React
React is the readiness capability of the utility to deal with disruptions through emergency management, incident response, crisis management and forensic investigations. As the data-driven grid and the digitization of utilities evolve, resilience in cybersecurity and business continuity will be increasingly tested and relied upon.
Key findings
1. Inadequate security operating models are exacerbated by budget pressures
• 89% have had a recent significant cybersecurity incident.
• 58% say their cybersecurity function does not fully meet their needs, and only 53% of P&U respondents have a security operations center (SOC).
• 39% need a budget increase of at least 25% to achieve management’s desired level of risk tolerance.
2. Reputational risks are rising
• 39% do not have a communications plan in place in the event of a significant attack.
3. A skilled cyber workforce is essential to keep pace with evolving utility threats
• 58% rated security awareness and training as a high security priority.
• 84% consider careless employee actions to be the most likely source of a cyber attack.
4. The rise of digital and the internet of things (IoT) is creating significant challenges
• 79% say poor user awareness and behavior around mobile devices are major risks for their organization.
• 59% do not have a role within the security function focused on web-enabled devices and the IoT.
5. Leadership and governance around cybersecurity is lacking
• 35% say there is a lack of executive awareness and support, which is challenging the effectiveness of cybersecurity.
• 12% say their boards comprise a member directly responsible for cybersecurity.
Download the report at ey.com/powergiss.
The cyber-resilient utility
[Figure: Threats → Sense (corporate shield, risk tolerance, three lines of defense) → Resist → React (critical assets: physical and cyber assets, revenue, reputation) → Respond and recover → Adapt and reshape. The cyber-resilient utility defends the critical assets, the crown jewels, and embraces an “all in it together” attitude.]
For utilities, safe and reliable delivery of electric, gas and water is mission critical. The increasingly complex risk landscape is creating potentially serious cybersecurity issues for critical infrastructure, data protection and privacy. A resilient security operating model goes beyond compliance by managing the risks that matter most and deploying valuable resources to where they are most needed.
Cyber resilience encompasses three different stages: sense, resist and react. While utilities strive to be agile and prevent the next threat from becoming a reality, the fact of the matter is that they cannot prevent all threats. Cyber resilience is about having the capability to withstand and recover from an attack while simultaneously keeping the lights on.
Today’s emergency services: the cyber breach response program
Given the likelihood of suffering a cyber breach, utilities must develop a
strong, centralized response framework as part of their overall enterprise
risk management strategy.
This can be achieved with a centralized cyber breach response program
(CBRP) as the focal point. The CBRP brings together a wide variety of
stakeholders that must collaborate to resolve a breach and manage the
day-to-day operational and tactical response. It is staffed with in-depth
legal and compliance experience, as cyber events can trigger complex
legal and regulatory issues with an impact on financial statements.
The CBRP goes beyond the capacity of a traditional program management
office. It can help verify that:
• An organization’s business continuity plan is appropriately implemented
• A communication and briefing plan among all internal stakeholders is developed and enforced
• All breach-related inquiries received from external and internal groups are centrally managed
In addition, it oversees the process of evidence identification, collection and preservation, forensic data analysis and impact assessment, and can
also direct and modify the investigation on the basis of the emerging fact pattern.
A robust CBRP, therefore, supports a cost-effective response that
mitigates breach impacts by integrating the stakeholders and their
knowledge, and helps the utility navigate the complexities of working with
outside legal counsel, regulators and law enforcement agencies.
Key characteristics of a cyber-resilient utility
Thinks strategically
With so much disruption happening in the P&U sector, questions around
the cybersecurity implications of digital transformation often get lost.
Cyber resilience demands a comprehensive, enterprise-wide response —
an in-depth understanding of the external and internal drivers of change
across the business and operational landscape. This is an opportunity
for utilities to think outside of the box to understand risk tolerance
and to identify options for decision-making under uncertainty that
strengthen security posture.
Understands the cyber threat
Utilities need to map and assess security controls across physical assets,
digital infrastructure and business processes to identify cyber risk and
capabilities. In the survey, only 27% confirmed that their security function
focused on the IoT. This is a concern for utilities, given the vulnerability of
connected devices to hackers and the potential for an IoT cyber incident
to disrupt grid operations.
Collaborating with industry stakeholders and government agencies
improves understanding of evolving threats and approaches to risk
mitigation. Sharing information externally allows utilities to assess
their security posture, expose any gaps and contribute to the latest
developments in policies, standards and leading practice.
Establishes a risk-enabled culture with exceptional leadership
Clear communication, direction and example setting from leadership is
essential for raising the awareness and focus on security to the same
level of priority as health and safety. All utility employees, contractors and
suppliers need to have a stake in protecting the company, and everyone is
a risk manager from the CEO down. Employees need to feel empowered
and safe to speak up or potentially stop a job when they notice something
suspicious, whether it’s unusual behavior at a work site or an unapproved
device connected to a network.
Adopts an integrated, agile approach to managing risk
Confusion on roles and responsibilities may be contributing to a less
effective risk environment. Integration, alignment and coordination of
activities offers an opportunity for greater effectiveness, efficiency and
coordination of enterprise-wide resources. Greater agility allows the utility
to evolve and improve over time and respond to changing technologies,
processes and standards.
Provides effective governance and oversight
A three lines of defense operating model supports an objective second line focused on security governance and on oversight of the performance
and execution of security controls by the first-line operations and business units. This includes a comprehensive mapping of key cyber
risks to organizational roles and responsibilities.
If you would like to find out more about EY Global P&U risk and cybersecurity offerings, please contact:
Matt Chambers (Houston, US), +1 713 750 5944
Gavin Webb (London, UK), +44 7841 494311
Charlie Offer (Melbourne, Australia), +61 3 9288 8104
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality
services we deliver help build trust and confidence in the capital markets and in economies the
world over. We develop outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better working world for our people,
for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of
Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.
© 2017 EYGM Limited.
All Rights Reserved.
EYG no. 00545-174Gbl
This material has been prepared for general informational purposes only and is not intended to be relied upon as
accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com/powergiss